Solved: you can use ISE ln-line

Hung Tsung Chen · ‎11-17-2014

Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?

And the wired users will get full network access after they pass the web auth.

Bastien Migette · ‎11-18-2014

Hello,

It could theorically work if the switch is able to send all attributes in accounting packets, such as IP address and mac address in calling station-id. If the attributes are missing or incorrect, the iPEP ISE will never create the session (see show pep table session).

Being that said, that probably never have been tested, so you might want to reconsider your design as there are no guarantee this can ever work.

View solution in original post

Bastien Migette · ‎11-18-2014

Hello,

It could theorically work if the switch is able to send all attributes in accounting packets, such as IP address and mac address in calling station-id. If the attributes are missing or incorrect, the iPEP ISE will never create the session (see show pep table session).

Being that said, that probably never have been tested, so you might want to reconsider your design as there are no guarantee this can ever work.

Venkatesh Attuluri · ‎11-21-2014

you can use ISE ln-line posture node with 3rd part switches

RADIUS access device must supply the following RADIUS attributes:

Calling-Station-Id (for MAC_ADDRESS)

User-Name

NAS-Port-Type

RADIUS accounting message must have the Framed-IP-Address attribute

VLAN, DACL features can be used but again it depends on switch models let us know specific switch models . Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality,

ISE web auth for non-cisco switch(D-link 3528)